Preventing PHP execution in Uploads Directory


WordPress is vulnerable to many security issues. Not every plugin developer properly sanitizes file uploads, which can allow an attacker to run malicious files on your WordPress website and ultimately compromise other websites in your account. The way that NodeSpace accounts are set up, scripts run in your account are limited to only your account (i.e. if one user gets infected, it's impossible for the infection to spread to other user accounts on the servers).

To mitigate this issue, we strongly recommend that you disable PHP script execution in your uploads directory.

Create a text file in your uploads directory (located at wp-content/uploads) called .htaccess (note that the file name starts with a dot).

In this file, add the following code:
<Files *.php>
deny from all
</Files>

Save the file.

This code tells the web server to deny every request for a PHP file in this directory, regardless of its name, so that no one can run it.
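
To confirm the rule is in place and to spot PHP files that are already sitting in the uploads directory, a check like the following can be run from a shell on the account. This is an added example, not NodeSpace tooling; the script name audit_uploads.sh, the function names and the exit codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit an uploads directory for the rule described in this article.
# Function names and exit codes are assumptions of this sketch.

# Succeeds when DIR/.htaccess has "deny from all" inside a <Files *.php> block.
has_php_deny_rule() {
    htaccess="$1/.htaccess"
    [ -f "$htaccess" ] || return 1
    awk '
        { line = tolower($0); gsub(/^[ \t]+|[ \t\r]+$/, "", line) }
        line ~ /^#/ { next }
        line ~ /^<files[ \t]+"?\*\.php"?[ \t]*>$/ { inside = 1; next }
        line ~ /^<\/files>$/ { inside = 0; next }
        inside && line ~ /^deny[ \t]+from[ \t]+all$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$htaccess"
}

# Prints every PHP file already stored under DIR (uploads should hold none).
list_php_files() {
    find "$1" -type f -iname '*.php' 2>/dev/null
}

# Exit status: 0 = clean, 1 = rule missing, 2 = PHP files present, 3 = both.
audit_uploads() {
    dir="$1"
    result=0
    if has_php_deny_rule "$dir"; then
        echo "OK: $dir/.htaccess denies *.php"
    else
        echo "MISSING: no <Files *.php> deny rule in $dir/.htaccess"
        result=1
    fi
    found=$(list_php_files "$dir")
    if [ -n "$found" ]; then
        echo "REVIEW: PHP files found under $dir:"
        echo "$found" | sed 's/^/  /'
        result=$((result + 2))
    fi
    return "$result"
}

# Run as: sh audit_uploads.sh /path/to/wp-content/uploads
if [ "$#" -gt 0 ]; then
    audit_uploads "$1"
fi
```

Any file listed under REVIEW should be inspected before it is deleted, since a PHP file in uploads may be evidence of an earlier compromise.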
